Skip to content

Commit

Permalink
caclmgrd: Don't block traffic to mgmt by default
Browse files Browse the repository at this point in the history
*Currently the IP2ME rules block the management interface's identity address instead of the actual host address. This logic results in a DROP rule that hits the management interface address only in the case of /32 netmask - all other netmasks will result in traffic being accepted by default. Thus, it is exceedingly likely that the current DROP rule has never worked for management interfaces given that /32 are mainly loopback addresses, not for network links.
  • Loading branch information
prsunny authored Aug 12, 2022
2 parents 06ff918 + a712fc4 commit f6ea036
Show file tree
Hide file tree
Showing 2 changed files with 0 additions and 5 deletions.
1 change: 0 additions & 1 deletion scripts/caclmgrd
Original file line number Diff line number Diff line change
Expand Up @@ -215,7 +215,6 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
def generate_block_ip2me_traffic_iptables_commands(self, namespace):
INTERFACE_TABLE_NAME_LIST = [
"LOOPBACK_INTERFACE",
"MGMT_INTERFACE",
"VLAN_INTERFACE",
"PORTCHANNEL_INTERFACE",
"INTERFACE"
Expand Down
4 changes: 0 additions & 4 deletions tests/caclmgrd/test_ip2me_vectors.py
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,6 @@
"FEATURE": {},
},
"return": [
"iptables -A INPUT -d 172.18.0.0/32 -j DROP"
],
},
],
Expand Down Expand Up @@ -55,7 +54,6 @@
},
"return": [
"iptables -A INPUT -d 10.10.10.10/32 -j DROP",
"iptables -A INPUT -d 172.18.0.0/32 -j DROP",
"iptables -A INPUT -d 10.10.11.10/32 -j DROP",
"iptables -A INPUT -d 10.10.12.10/32 -j DROP",
],
Expand Down Expand Up @@ -83,7 +81,6 @@
"FEATURE": {},
},
"return": [
"iptables -A INPUT -d 172.18.0.0/32 -j DROP",
"iptables -A INPUT -d 10.10.11.1/32 -j DROP",
],
},
Expand Down Expand Up @@ -117,7 +114,6 @@
},
"return": [
"ip6tables -A INPUT -d 2001:db8:10::/128 -j DROP",
"ip6tables -A INPUT -d 2001:db8:200::/128 -j DROP",
"ip6tables -A INPUT -d 2001:db8:11::1/128 -j DROP",
"ip6tables -A INPUT -d 2001:db8:12::/128 -j DROP",
"ip6tables -A INPUT -d 2001:db8:13::/128 -j DROP"
Expand Down

0 comments on commit f6ea036

Please sign in to comment.